CT5760 Centralized Configuration Example

Network Topology

The diagram in Figure 3-1 shows the network topology with only the Unified Access CT5760 controller in a centralized deployment.

Figure 3-1 Network Topology Centralized Configuration

VLANs and IP Addresses

Table 3-1 VLANs and IP Address by Device

Device                      VLAN       IP Address
--------------------------  ---------  -------------------------
DHCP Server                 Gateway    10.10.100.1 / 10.10.200.1
Cisco Prime Infrastructure  200        10.10.200.30
Cisco ISE                   200        10.10.200.60
Anchor WLC                  300        192.168.1.5
Core Switch                 200, 100   10.10.100.1 / 10.10.200.1
AP                          200        DHCP
5760 WLC                    200        10.10.200.5
Client VLAN                 100        DHCP
Management VLAN             200        10.10.200.5
NTP Server                  Gateway    10.10.200.1

CT5760 Controller Configuration Example using CLI

Before you start the controller configuration, ensure that there is complete connectivity between all of the switches in the configuration above.

Console Connection

Before you can configure the switch or controller for basic operations, you must connect it to a PC that runs a VT-100 terminal emulator (such as HyperTerminal, ProComm, or PuTTY).

The controller has both EIA/TIA-232 asynchronous (RJ-45) and USB 5-pin mini Type B, 2.0 compliant serial console ports. The default parameters for the console ports are 9600 baud, eight data bits, one stop bit, and no parity. The console ports do not support hardware flow control. Choose a serial baud rate of 9600; if you have issues, try a baud rate of 115200. Figure 3-2 shows an example using SecureCRT on a Mac; use similar settings for PuTTY on a Windows PC, and so on.

Figure 3-2 Mac Secure CRT Example

Startup Wizard

Before you launch the startup wizard, have your IP addresses and VLANs information available. Start without the wizard/initial configuration dialog (check the initial configuration).

% Please answer 'yes' or 'no'.

Would you like to enter the initial configuration dialog? [yes/no]: no

Would you like to terminate autoinstall? [yes]:

Controller>

Press RETURN to get started!

Start with the wizard/initial configuration dialog (check the initial config).

Enable secret warning

----------------------------------

In order to access the device manager, an enable secret is required

If you enter the initial configuration dialog, you will be prompted for the enable

secret

If you choose not to enter the initial configuration dialog, or if you exit setup

without setting the enable secret,

please set an enable secret using the following CLI in configuration mode-

enable secret 0 <cleartext password>

----------------------------------

Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: yes

Configuring global parameters:

Enter host name [Controller]: CT5760-Controller

The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.

Enter enable secret: Cisco123

The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.

Enter enable password: Admin123

The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: Cisco123

Configure a NTP server now? [yes]: yes

Enter ntp server address : 10.10.200.1

Enter a polling interval between 16 and 131072 secs which is power of 2:16

Do you want to configure wireless network? [no]: yes

Enter mobility group name: New-Mobility

Enter the country code[US]:US

Setup account for accessing HTTP server? [yes]: yes

Username [admin]: admin

Password [cisco]: Cisco123

Password is UNENCRYPTED.

Configure SNMP Network Management? [no]: no

Current interface summary

Any interface listed with OK? value "NO" does not have a valid configuration

Interface           IP-Address  OK? Method Status  Protocol
Vlan1               unassigned  NO  unset  up      down
GigabitEthernet0/0  unassigned  YES unset  up      up
Te1/0/1             unassigned  YES unset  down    down
Te1/0/2             unassigned  YES unset  down    down
Te1/0/3             unassigned  YES unset  down    down
Te1/0/4             unassigned  YES unset  down    down
Te1/0/5             unassigned  YES unset  down    down
Te1/0/6             unassigned  YES unset  down    down

Enter interface name used to connect to the management network from the above interface summary: GigabitEthernet0/0 (service port)

Version

The CT5760 controller currently ships with release 3.2.01 or release 3.3.0. You can check this using the command:

WLC5760#show version

Snip…

Switch Ports Model SW Version SW Image Mode

------ ----- ----- ---------- ---------- ----

* 1 6 AIR-CT5760 03.03.01SE ct5760-ipservicesk9 INSTALL

It is recommended to upgrade to software release 3.3.3 or later. The latest software images are available on Cisco.com. It is best practice to read the release notes before upgrading to a software release. Follow the steps in the Cisco IOS-XE software upgrade document.

To display the WCM and IOSd versions, use the following command:

#show version running

To display the AP version, use the following command:

#show ap name apname config general

Accessing the CT5760 Controller Web GUI

You can access the GUI through the out-of-band management port (GigE 0/0) or through any reachable interface configured on the network, for example by creating a VLAN and an L3 interface that reaches the controller.

For the best GUI experience, it is best practice to follow the steps listed below:

1. Use the following list of supported browsers:

Chrome - Ver. 26.x +

Mozilla - Ver. 20.x +

IE - Ver. 8.x, 9.x and 10.x

2. Upgrade the controller to the latest software version that has additional features and GUI support.

3. You must create a username and password to access the GUI. Configure a local username with the CLI below, or configure the controller to use credentials from an authentication server. Make sure the user has privilege level 15 as its access level.

4. By default, HTTPS is enabled. You can access the web GUI through HTTPS; if you also want to enable HTTP access, issue the CLI below:

WLC5760(config)#username username privilege 15 password password

WLC5760(config)#ip http server

WLC5760(config)#ip http secure-server

WLC5760(config)#ip http authentication local

Note The ip http authentication local CLI command is not configured by default in older releases. However, it is configured by default in recent releases. Ensure that it is configured once you upgrade to the latest release.

Now, you will be able to access the Web GUI interface. Open a browser and type your controller/switch IP address. Example, https://10.10.10.5/. Please refer to the GUI access example below.

Enable Network Time Protocol (NTP) and Setup Time

NTP is very important for several features. It is mandatory to use NTP synchronization on controllers if you use any of these features—Location, SNMPv3, access point authentication, or MFP. The WLC supports synchronization with NTP using authentication.

You can set up NTP during the initial wizard configuration. To configure an NTP server, use the following command:

WLC5760(config)#ntp server <ip_address>

Controller Time:

It is important to set the correct time on the controller so that the APs can join the controller.

WLC5760#clock set hh:mm:ss day month year

Country Code settings:

Ensure that you have the correct Country Code set on your controller. To see the current Country Code configured on your controller, please issue the following CLI:

WLC5760(config)#show wireless country configured

Configured Country.............................: US - United States

Configured Country Codes

US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

To change the country code on your controller, please follow the steps below:

WLC5760(config)#ap dot11 24ghz shutdown

WLC5760(config)#ap dot11 5ghz shutdown

WLC5760(config)#ap country ?

WORD Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries

Wireless Management Interface

Configuring the wireless management interface enables the APs to join the controller. The wireless management interface can be configured as part of the Startup Wizard or by issuing the following command:

WLC5760(config)#wireless management interface vlan 200

Note You need not configure AP Manager or dynamic interfaces on the 5760 controller.

Default Gateway

The 5760 controller does not support routing. You must define a default gateway on the controller pointing to the default gateway responsible for routing in the network.

Here is how to define a default gateway:

WLC5760(config)#ip default-gateway 10.10.200.1

Multicast Forwarding Mode

You must set the CAPWAP forwarding mode to multicast, even if multicast forwarding itself is not enabled. This mode is called Multicast Multicast (MCMC). To use this mode, you must configure a multicast group on your controller. Each AP connected to the controller subscribes to this multicast group and can receive the multicast flow. You can enable MCMC and configure the multicast group with this command:

WLC5760(config)#ap capwap multicast 239.3.3.3

The multicast address is used by the controller in order to forward traffic to access points. It is important that it does not match another address in use on your network by other protocols. For example, if you use 224.0.0.251, it breaks mDNS used by some third party applications. It is recommended that the address be in the private range (239.0.0.0 - 239.255.255.255, which does not include 239.0.0.x and 239.128.0.x.). It is also important that the multicast IP address be set to a different value on each WLC. You do not want a WLC that speaks to its access points to reach the APs of another WLC.

If the access points are on a different subnet than the one used on the management interface, your network infrastructure must provide multicast routing between the management interface subnet and the AP subnet.

Note Do not enable wireless multicast unless it is needed. You might need to enable multicast forwarding in certain networks with heavy multicast application such as Video Streaming, or Bonjour without mDNS proxy, and with large IPV6 client counts.
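The address rules above (a group in the private 239.0.0.0/8 range, outside the 239.0.0.x and 239.128.0.x blocks, not colliding with link-local protocol addresses such as the mDNS address 224.0.0.251, and a distinct group on each WLC) can be checked before the command is applied. The following Python validator is an added example and is not part of this document or of Cisco's tooling; the controller names and addresses in SAMPLE_GROUPS are constructed for the example, and the function names are the example's own. It goes slightly beyond the single address shown above by checking a whole inventory of controllers for duplicates.

```python
import ipaddress

# Ranges named in the text: the administratively scoped (private) multicast
# block, the two excluded sub-blocks inside it, and the link-local block
# that carries protocol traffic such as mDNS (224.0.0.251).
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
EXCLUDED = [ipaddress.ip_network("239.0.0.0/24"),
            ipaddress.ip_network("239.128.0.0/24")]
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")

# Constructed inventory (not from the document): two controllers share a group,
# one uses the mDNS address and one sits in an excluded block.
SAMPLE_GROUPS = {
    "WLC5760-A": "239.3.3.3",
    "WLC5760-B": "239.3.3.3",
    "WLC5760-C": "224.0.0.251",
    "WLC5760-D": "239.128.0.7",
}


def check_capwap_group(addr):
    """Return the list of problems with one CAPWAP multicast group address."""
    problems = []
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"{addr}: not a valid IP address"]
    if ip.version != 4 or not ip.is_multicast:
        return [f"{addr}: not an IPv4 multicast address"]
    if ip in LINK_LOCAL:
        problems.append(f"{addr}: link-local multicast, collides with protocols "
                        "such as mDNS (224.0.0.251)")
    if ip not in ADMIN_SCOPED:
        problems.append(f"{addr}: outside the private range 239.0.0.0/8")
    for net in EXCLUDED:
        if ip in net:
            problems.append(f"{addr}: inside excluded block {net}")
    return problems


def check_controllers(groups):
    """Check every controller's group and flag any group used by more than one WLC."""
    findings = {name: check_capwap_group(addr) for name, addr in groups.items()}
    by_addr = {}
    for name, addr in groups.items():
        by_addr.setdefault(addr, []).append(name)
    for addr, names in by_addr.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(
                    f"{addr}: also used by {others}; each WLC needs its own group")
    return findings


if __name__ == "__main__":
    for name, problems in check_controllers(SAMPLE_GROUPS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against a real inventory, only controllers with an empty problem list should keep their configured group; a controller that shares a group with another WLC would otherwise forward its AP traffic into the other controller's access points.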

To configure multicast forwarding on the WLC, use the following command:

DHCP Snooping and Trust Configuration on CT5760

It is recommended to use an external DHCP server instead of the internal DHCP server. DHCP snooping configuration is required on the controller for proper client join functionality. DHCP snooping must be enabled on each client VLAN, including the override VLAN if a VLAN override is applied on the WLAN. The following example shows how to configure DHCP snooping.

Global DHCP Snooping Configuration:

ip dhcp snooping

ip dhcp snooping vlan 100, 200

Enable the bootp-broadcast command. It handles clients that send DHCP messages to the broadcast address with the broadcast bit set in the DHCP message.

ip dhcp snooping wireless bootp-broadcast enable

On the Interface:

Note If upstream is via a port channel, the trust configuration must be configured on the port channel interface as well.

interface TenGigabitEthernet1/0/1

description Connection to Core Switch

switchport trunk allowed vlan 100, 200

switchport mode trunk

ip dhcp relay information trusted

ip dhcp snooping trust

Note DHCP snooping must be configured on the Guest Anchor controller for guest access similar to the configuration above.

If you are using an ip-helper address on the interface, you must modify option 82 behavior:

On the DHCP Snooping Device

no ip dhcp snooping information option

OR

On the DHCP Relay Device (per interface)

ip dhcp relay information trusted

On the DHCP Relay Device (global configuration)

ip dhcp relay information trust-all
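The rules in this section (snooping enabled globally and on every client VLAN, trust on the upstream trunk and on the port channel when one is used, bootp-broadcast handling, and one of the three option 82 adjustments whenever an ip helper-address is in use) can be verified against a saved running-config. The Python audit below is an added example, not Cisco's tooling and not part of this document; SAMPLE_CONFIG is a constructed excerpt that deliberately leaves the port channel untrusted and a helper address without an option 82 adjustment, and the function names are the example's own. It also expands VLAN ranges such as 300-302, which the section's example does not show.

```python
import re

# Constructed running-config excerpt (not from the document).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 100, 200
ip dhcp snooping wireless bootp-broadcast enable
!
interface Port-channel1
 description Uplink bundle to Core Switch
 switchport trunk allowed vlan 100, 200
 switchport mode trunk
!
interface TenGigabitEthernet1/0/1
 description Connection to Core Switch
 switchport trunk allowed vlan 100, 200
 switchport mode trunk
 channel-group 1 mode active
 ip dhcp relay information trusted
 ip dhcp snooping trust
!
interface Vlan100
 ip helper-address 10.10.100.1
"""


def parse_config(text):
    """Split a config excerpt into global lines and {interface: [subcommands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def expand_vlans(spec):
    """Expand a VLAN list such as '100, 200, 300-302' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_dhcp_snooping(text, client_vlans):
    """Return findings; an empty list means the excerpt follows this section's rules."""
    glob, intfs = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in glob:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    snooped = set()
    for line in glob:
        m = re.match(r"ip dhcp snooping vlan (.+)", line)
        if m:
            snooped |= expand_vlans(m.group(1))
    for v in sorted(set(client_vlans) - snooped):
        findings.append(f"global: VLAN {v} is not covered by 'ip dhcp snooping vlan'")
    if "ip dhcp snooping wireless bootp-broadcast enable" not in glob:
        findings.append("global: 'ip dhcp snooping wireless bootp-broadcast enable' is missing")
    # Upstream ports: every trunk, plus any port channel a trunk member belongs to.
    uplinks = set()
    for name, cmds in intfs.items():
        if "switchport mode trunk" in cmds:
            uplinks.add(name)
        for c in cmds:
            m = re.match(r"channel-group (\d+)", c)
            if m:
                uplinks.add(f"Port-channel{m.group(1)}")
    for name in sorted(uplinks):
        cmds = intfs.get(name)
        if cmds is None:
            findings.append(f"{name}: referenced by channel-group but has no interface stanza")
        elif "ip dhcp snooping trust" not in cmds:
            findings.append(f"{name}: upstream trunk without 'ip dhcp snooping trust'")
    # Option 82: with a helper address, the inserted option must be disabled on the
    # snooping device or trusted on the relay, either per interface or globally.
    handled_globally = ("no ip dhcp snooping information option" in glob
                        or "ip dhcp relay information trust-all" in glob)
    for name, cmds in sorted(intfs.items()):
        if any(c.startswith("ip helper-address") for c in cmds) and not (
                handled_globally or "ip dhcp relay information trusted" in cmds):
            findings.append(f"{name}: 'ip helper-address' in use but DHCP option 82 "
                            "is neither disabled nor trusted")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG, {100, 200, 300}):
        print(finding)
```

Pass the set of client VLANs (including any override VLAN) as the second argument; the untrusted port channel and the unadjusted helper address in the sample are reported, and adding the two missing commands brings the result back to an empty list.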

WLAN Configuration

When configuring your WLANs, it is best practice to enable Band Select and Fast SSID change, and to keep the number of SSIDs configured on your controller low.

Enable Band Selection

Band selection enables client radios that are capable of dual-band (2.4 and 5 GHz) operation to move to a less congested 5 GHz access point. The 2.4 GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three non-overlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller.

Band selection is enabled or disabled globally by default.

Band selection works by regulating probe responses to clients. It makes 5 GHz channels more attractive to clients by delaying probe responses to clients on 2.4 GHz channels.

Do not use band selection for voice, as it can slow down roaming.

Some client types do not work well with band selection enabled.

Most new clients prefer 5 GHz by default.

Do not use band selection on high-density designs.

To enable or disable band selection on a specific WLAN:

WLC5760(config-wlan)#band-select

Enable Fast SSID Changing

When fast SSID changing is enabled, the controller allows clients to move faster between SSIDs. When fast SSID is enabled, the client entry is not cleared and the delay is not enforced. This configuration is very important for supporting Apple iOS devices.

The fast SSID change is enabled globally on the controller. To enable fast SSID change:

WLC5760(config)#wireless client fast-ssid-change

WLAN Configuration Example

Configure a WLAN and assign a client VLAN. Use WPA/PSK for security, and the passkey is cisco123.

wlan corporate 1 corporate

band-select

client vlan 100

no security wpa akm dot1x

security wpa akm psk set-key ascii 0 cisco123

no shutdown

Enter this command to allow management over wireless.

wireless mgmt-via-wireless

Voice WLAN

If you are deploying a voice WLAN, apply the best practices below for Voice WLAN configurations:

Enable voice ACM and SIP CAC on both the 2.4 GHz and 5 GHz bands under the global configuration:

Best practices for Central (CWA) and Local (LWA) WebAuth configurations:

Release 3.3.3SE and later are the recommended releases for any web-auth network deployments.

Configure the virtual-ip under the global parameter-map to drop the unauthenticated HTTPS traffic for the LWA scenario.

Configure per user max HTTP connections (15) and web-auth state time out (5 min) for LWA scenario.

This is how to apply the configuration:

parameter-map type webauth global

virtual-ip ipv4 <virtual-ip>

timeout init-state sec 300

max-http-conns 15

Configure only HTTP redirect in the redirect ACL for central web-auth (CWA) scenarios.

WLC5760(config)#ip access-list extended cwa_redirect_acl

WLC5760(config-ext-nacl)#permit tcp any any eq www
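The WebAuth recommendations above (a virtual-ip in the global parameter-map, a 300 second init-state timeout, 15 HTTP connections per user, and a CWA redirect ACL that matches plain HTTP only) are easy to drift from, so the following Python check reads them back from a saved running-config. It is an added example and not part of this document or of Cisco's tooling; SAMPLE_CONFIG is a constructed excerpt that omits max-http-conns and redirects HTTPS as well, the virtual IP 192.0.2.1 is a documentation address chosen for the example, and the function names are the example's own.

```python
import re

# Constructed excerpt (not from the document): max-http-conns is absent and the
# redirect ACL also matches port 443, both of which the audit should report.
SAMPLE_CONFIG = """\
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
 timeout init-state sec 300
!
ip access-list extended cwa_redirect_acl
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# Recommended LWA values from this section.
RECOMMENDED = {"timeout init-state sec": "300", "max-http-conns": "15"}
# The only permit entries a CWA redirect ACL should carry: plain HTTP.
ALLOWED_ENTRIES = {"permit tcp any any eq www", "permit tcp any any eq 80"}


def section_body(text, header):
    """Indented lines that follow a top-level config line, or None if it is absent."""
    pattern = r"^" + re.escape(header) + r"[ \t]*\n((?:[ \t]+\S.*\n?)*)"
    m = re.search(pattern, text, re.M)
    if not m:
        return None
    return [line.strip() for line in m.group(1).splitlines() if line.strip()]


def audit_webauth(text, acl_name):
    """Return findings for the global webauth parameter-map and the redirect ACL."""
    findings = []
    pmap = section_body(text, "parameter-map type webauth global")
    if pmap is None:
        findings.append("parameter-map type webauth global is missing")
    else:
        if not any(re.fullmatch(r"virtual-ip ipv4 \d+\.\d+\.\d+\.\d+", l) for l in pmap):
            findings.append("parameter-map: no virtual-ip ipv4 set, "
                            "unauthenticated HTTPS is not dropped")
        for key, want in RECOMMENDED.items():
            got = next((l[len(key):].strip() for l in pmap if l.startswith(key + " ")), None)
            if got is None:
                findings.append(f"parameter-map: '{key} {want}' is not configured")
            elif got != want:
                findings.append(f"parameter-map: '{key}' is {got}, recommended {want}")
    acl = section_body(text, f"ip access-list extended {acl_name}")
    if acl is None:
        findings.append(f"{acl_name}: redirect ACL not found")
    else:
        for entry in acl:
            if entry.startswith("permit") and entry not in ALLOWED_ENTRIES:
                findings.append(f"{acl_name}: '{entry}' redirects more than plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_webauth(SAMPLE_CONFIG, "cwa_redirect_acl"):
        print(finding)
```

Deny entries in the redirect ACL are left alone, since they only exclude traffic from redirection; any permit entry other than plain HTTP is reported.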

Configure Parameter-Map Section in Global Configuration

The parameter map connection configuration mode commands allow you to define a connection-type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.

! First section is to define our global values and the internal Virtual Address.